✔️ Understanding a historical vulnerability

✔️ Null sessions can be found on legacy systems

✔️ Deepening your understanding of Windows Shares

Null session attacks can be used to steal a lot of information

Attackers steal info about:

→ remotely exploitable

this attack can be used to call:

These days Windows is immune to this attack; however, legacy hosts can still be vulnerable.

1️⃣ Enumerating Windows Shares

First step in exploiting a Windows machine vulnerable to null sessions.

We will use both Windows and Linux tools for this step.

🟦 nbtstat

Most common command for enumerating Windows shares.

Command-line tool that displays information about a target.

Run nbtstat /? to see how to use it.

Use case:

Most commonly used to display information about a target with:

nbtstat -A <IP>

> nbtstat -A 10.130.40.80
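
Added example (not part of the original notes): the Python below parses captured nbtstat -A output and reports whether the host registers the <20> File Server service name, which is how an audit spots legacy machines that still offer shares. The sample output, host name and MAC address are constructed; the suffix meanings are the standard NetBIOS ones.

```python
import re

# Standard NetBIOS name suffixes (16th byte of the name) and what they indicate.
SERVICES = {
    (0x00, "UNIQUE"): "Workstation service (computer name)",
    (0x00, "GROUP"): "Domain or workgroup name",
    (0x03, "UNIQUE"): "Messenger service",
    (0x20, "UNIQUE"): "File Server service (resources are shared)",
    (0x1E, "GROUP"): "Browser service elections",
}

ROW = re.compile(r"^\s*(\S.{0,14}?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")
MAC = re.compile(r"MAC Address = ([0-9A-Fa-f-]{17})")

# Constructed sample of `nbtstat -A <IP>` output (not taken from a real host).
SAMPLE = """
           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    LEGACY-PC      <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    LEGACY-PC      <20>  UNIQUE      Registered
    WORKGROUP      <1E>  GROUP       Registered

    MAC Address = 00-50-56-AA-BB-CC
"""

def parse_nbtstat(text):
    """Return (rows, mac) from the remote name table; headers are skipped."""
    rows, mac = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            rows.append({"name": name.strip(), "suffix": int(suffix, 16),
                         "type": kind, "status": status})
        elif MAC.search(line):
            mac = MAC.search(line).group(1)
    return rows, mac

def describe(row):
    return SERVICES.get((row["suffix"], row["type"]), "Other or unknown service")

def file_sharing_enabled(rows):
    """True when a UNIQUE <20> name is registered: the server service is running."""
    return any(r["suffix"] == 0x20 and r["type"] == "UNIQUE"
               and r["status"] == "Registered" for r in rows)

if __name__ == "__main__":
    table, mac = parse_nbtstat(SAMPLE)
    for r in table:
        print(f'{r["name"]:<15} <{r["suffix"]:02X}> {r["type"]:<6} {describe(r)}')
    print("MAC:", mac, "| file sharing advertised:", file_sharing_enabled(table))
```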